wshrat | a296d00447ab6ebd54fb78afdeab1605246b0913130b870571ccaf7ae0117033

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO230317_COPY.vbs
Size

206KB
MD5

77a541634d4f73b6b242bdecd53c1231
SHA1

e5d9ae28229954bb0097e057a45f957913ac163f
SHA256

a296d00447ab6ebd54fb78afdeab1605246b0913130b870571ccaf7ae0117033
SHA512

ddb659c6ff0df990146ee5af48421161e15ab28c331ebc26bca5537859e390234d6f299e9d4f5a1513ef0c988042ef4c315f0a9e2dd5503f5c26f29827770e7d
SSDEEP

768:DMYP16f3e2+DCn6F4jTF9aieJHRzzFaKE/x0hGmVxYAYe3BH7LFHY:IYQngUKS

Score

10^/10

wshrat persistence trojan

Malware Config

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7045

Signatures

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
26	3752	WScript.exe
31	3752	WScript.exe
34	3752	WScript.exe
36	3752	WScript.exe
38	3752	WScript.exe
45	3752	WScript.exe
46	3752	WScript.exe
47	3752	WScript.exe
55	3752	WScript.exe
65	3752	WScript.exe
69	3752	WScript.exe
71	3752	WScript.exe
72	3752	WScript.exe
73	3752	WScript.exe
74	3752	WScript.exe
82	3752	WScript.exe
87	3752	WScript.exe
88	3752	WScript.exe
89	3752	WScript.exe
90	3752	WScript.exe
91	3752	WScript.exe
92	3752	WScript.exe
93	3752	WScript.exe
94	3752	WScript.exe
95	3752	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO230317_COPY.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO230317_COPY.vbs	WScript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO230317_COPY = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO230317_COPY.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO230317_COPY = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PO230317_COPY.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO230317_COPY.vbs"
1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO230317_COPY.vbs

Filesize
206KB

MD5
77a541634d4f73b6b242bdecd53c1231

SHA1
e5d9ae28229954bb0097e057a45f957913ac163f

SHA256
a296d00447ab6ebd54fb78afdeab1605246b0913130b870571ccaf7ae0117033

SHA512
ddb659c6ff0df990146ee5af48421161e15ab28c331ebc26bca5537859e390234d6f299e9d4f5a1513ef0c988042ef4c315f0a9e2dd5503f5c26f29827770e7d

Download Submit